Privacy Questions and Answers
This notice describes how npm, Inc., or npm for short, collects and uses data about you.
- What's most important?
- How does npm collect data about me?
- What data does npm collect about me, and why?
- How can I make choices about data collection?
- Where does npm keep data about me?
- How can I access data about me?
- Does npm comply with the EU General Data Protection Regulation?
- How can I change or erase data about me?
- Does the right to be forgotten cover unpublishing packages?
- How does npm notify others about published data that's erased?
- Does npm make automated decisions based on data about me?
- Does npm share data about me with others?
- Who can I contact about npm and my privacy?
- How can I find out about changes?
That depends on your personal situation, which is why you should read on and decide for yourself. But at a minimum, absolutely every npm user should understand:
The npm public registry is for making software available to everyone online.
But: Software comes from people, and says something about us.
So: Think carefully about what packages to publish, what data you put in those packages, and what others might do with that data.
Publishing a password or a private email address could obviously affect your privacy. But even one version of a small package with your name and email in it says a lot about you and your work.
If you find yourself in a jam, email email@example.com.
npm collects data about you:
when you use the
npxcommand or another program to access the npm public registry, Enterprise registries that npm hosts, private packages, and APIs for functionality like account and permissions management
when you browse the npm website, npmjs.com
when you use either the
npmcommand or the website to create an npm account, update your account, and sign up for npm services
when you send support, privacy, legal, and other requests to npm
when working with and researching current and potential customers
When researching potential customers, npm staff sometimes search the public World Wide Web or paid business databases. Otherwise, npm doesn't buy or receive data about you from data brokers or other private services.
When you use the
npm command, the
npx command, or other software to
work with the npm public registry, an Enterprise registry that npm hosts,
or private packages, npm logs data that might be identified to you:
a random, unique identifier, called
npm-session, for each time you run commands like
the names and versions of your project's dependencies, their dependencies, and so on, that come from the npm public registry, but not of other dependencies, like Git dependencies
the versions of Node.js, the
npmcommand, and the operating system you are using
npm-in-ciheader, showing whether the command was run on a continuous integration server
the scope of the package for which you ran
npm install, as an
refererheader that shows the command you ran, with any file or directory paths redacted
data about the software you're using to access the registry, such as the
network request data, such as the date and time, your IP address, and the URL
npm uses this data to:
fulfill your requests, such as by sending the packages you ask for
send you alerts about security vulnerabilities that may affect the software you're building, when you run
keep registries working quickly and reliably
debug and develop the
npmcommand and other software
defend registries from abuse and technical attacks
compile statistics on package usage and popularity
prepare reports on trends in the developer community
improve search results on the website
recommend packages that may be relevant to your work
npm usually deletes registry log entries with identifiable information within a few weeks, but may preserve logs longer, as needed in specific cases, like investigations of specific incidents. npm stores aggregate statistics indefinitely, but those statistics don't include data identifiable to you personally.
your IP address
your preferred language
the web browser software you use
the kind of computer you use
the website that referred you
npm uses data about how you use the website to:
optimize the website, so that it's quick and easy to use
diagnose and debug technical errors
defend the website from abuse and technical attacks
compile statistics on package popularity
compile statistics on the kinds of software and computers visitors use
compile statistics on visitor searches and needs, to guide development of new website pages and functionality
decide who to contact about about product announcements, service changes, and new features
npm usually deletes website log entries with identifiable information within a few weeks, but keeps entries for visitors with npm accounts, and visitors using paid services like Enterprise registries, longer. npm reviews log entries for those users twice a year, and deletes entries when they're no longer needed.
npm may preserve log entries for all kinds of visitors longer, as needed in specific cases, like investigation of specific incidents. npm stores aggregate statistics indefinitely, but those statistics don't include data identifiable to you personally.
Many features of npm services require an npm account. For example, you must have an npm account to publish packages to the npm public registry.
To create an npm account, npm requires a working email address and an available user name. npm uses this data to provide you access to features and identify you across npm services, publicly and within npm.
You do not have to give your personal or legal name to create an npm account. You can use a pseudonym instead. You can also open more than one account.
npm publishes account data for the whole world to see on user pages
like this one. npm also publishes
account data through the npm public registry and Enterprise registries
that npm hosts for others to find with commands like
npm owner ls tap.
If you give npm a personal name or names on social media like GitHub and Twitter through the website, npm publishes that data along with the email address and user name for the account. You don't have to give npm a personal name or any social media names, and you can erase this data at any time.
npm uses your email to:
notify you about packages published using your account
reset your password and help keep your account secure
add metadata to packages that you publish
contact you in special circumstances related to your account or packages
contact you about support requests
contact you about legal requests, like DMCA takedown requests and privacy complaints
announce new npm product offerings, service changes, and features
npm stores account data as long as the account stays open. When account data also appear in package data, npm stores that data as long as it stores the package.
When you use
npm publish or other software to publish packages to the
npm public registry, an Enterprise registry that npm hosts, or as a
private package, npm collects the contents of the package, plus
metadata, including your
account data. Other npm users may also publish packages that include
data about you, such as the fact that you contributed code to a package.
npm uses data in packages to provide those packages to you and others who request them:
When you publish a package to the npm public registry, or change a package from private to public, npm makes the package and metadata available to everyone, online.
When you publish a package to an Enterprise registry that npm hosts, or as a private package, npm makes all of that data available to other users according to how the registry or the private packages account is configured. You may be able to configure who can access the package, or that may be up to others, such as the administrator of your company's Enterprise registry.
Making package data available to others allows them to download, build on, and depend on your work. In the vast majority of cases, npm stores data in and metadata about every version of every package indefinitely, unless it's unpublished.
In some cases, however, package publishers can unpublish packages, erasing them from the public registry. Erased packages linger on for a short time in npm's public and private caches, but eventually disappear completely from npm's storage.
To sign up for paid services, npm requires your payment card data. npm itself does not collect or store enough information to charge your card itself. Rather, Stripe collects that data on npm's behalf, and gives npm security tokens that allow npm to create charges and subscriptions.
npm uses your payment card data only to charge for npm services.
npm instructs Stripe to store your payment card data only as long as you use paid npm services.
npm's sales and marketing teams collect information about npm users who might like to try npm paid services, as individuals or through organizations. npm also collects data about customer personnel, such as lists of people who need Enterprise registry accounts or access to channels for technical support. When npm's sales and marketing teams send email to current and potential customers, they collect data about whether those messages get read, and whether readers follow hyperlinks.
npm's sales team also uses public World Wide Web searches and paid business databases to research who users work for, and their positions, based on account data like name or email address. The vast majority of this data is publicly available.
npm uses data about current and potential customer personnel to:
ensure npm meets its obligations to provide access, support, and other services under contracts for paid services
decide which people to contact about product announcements, service changes, and new features
ensure that people who opt out do not receive any more messages about npm services and upgrades
keep track of how users express interest in npm products and services over time
decide who should receive email about product announcements, service changes, and new features
npm stores data about current and potential customers as only as long as they remain relevant for these purposes, reviews data collection practices and data collected each year, and deletes data that's no longer needed.
npm collects data about you when you send npm support requests, legal complaints, privacy inquiries, and business inquiries. Those data usually include your name and email address, and may include your company or other affiliation.
npm uses contact data to:
respond to you
compile aggregate statistics about correspondence
train support staff and other npm personnel
review the performance of npm personnel who respond
defend npm from legal claims
npm stores correspondence as long as it may be useful for these purposes.
You choose what data the
npm publish command includes in package data.
You can use an
file in your package to keep specific files out of the package. You can
also use a
files list in
to instruct npm to include only specific files that you name, in
addition to standard files like
LICENSE files, and
To double check the data that you will share in a package that you plan
to publish, run the
npm publish --dry-run command. If you are running
an older version of the
npm command, run the
npm pack command to
create a tarball), then
check its contents, such as with
tar tvzf $tarball.
To publish a package to the npm public registry, npm's terms of service require you to license npm to share it. However, your choice of public license for your package may affect what others can do with data about you in your package.
npm does not respond to the Do Not Track HTTP header.
npm stores account data, data about website use, data about registry use, and private packages on servers in the United States of America.
npm stores package data published to Enterprise registries that npm hosts, plus metadata about them, in cloud computing zones of customers' choosing.
npm distributes package data published to the npm public registry and metadata about those packages worldwide, via content delivery networks.
npm participates in the EU-US and Swiss-US Privacy Shields. Under the Privacy Shields:
npm must respond to questions and complaints about Privacy Shield principles within 45 days.
npm is subject to the investigatory and enforcement powers of the Federal Trade Commission.
npm is liable in cases of onward transfers to third parties.
npm commits to subject all personal data received in reliance on the Privacy Shields to the Privacy Shield Principles.
npm is required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
You can find the Privacy Shield list online at https://www.privacyshield.gov/list.
npm respects privacy rights under Regulation (EU) 2016/679, the European Union's General Data Protection Regulation (GDPR). Information that GDPR requires npm to give can be found throughout these privacy questions and answers. So can information about specific rights, like access, rectification, erasure, data portability, and objection to automated decision-making.
GDPR does not apply to everyone worldwide. But npm's policy is to do its best to offer all users the same privacy information, control, and protections, whether GDPR applies to them or not.
You can access your account data at any time by visiting your account page on www.npmjs.com. Your account page also lists all the packages published under your account or other accounts.
You can access package data by downloading the packages, as long as they're public or you have permission to access them.
You can change your personal account data and payment card data at any time by visiting your account settings page on www.npmjs.com. You can change account and payment data for Enterprise by emailing firstname.lastname@example.org.
You can close your npm account at any time through www.npmjs.com. Closing your account starts a process of erasing npm's records of your account data. Closing your account does not automatically erase packages published under your account.
npm's unpublish policy determines when you can erase packages from the npm public registry. The unpublish policy strikes a difficult balance between the purpose of publishing and hosting packages, others' reliance on what has been made public, and individual rights and freedoms.
If you have questions or problems using the website or
npm command to
change or delete data about you,
email email@example.com. If another user
improperly publishes personal data about you, in a package or otherwise,
Please note that while npm publishes notices about published data that's been erased, npm can't make everyone who has downloaded published package data or account data erase that data on your behalf. Choosing a public license, such as an open source software license, may encourage and allow storage, distribution, and use of package data indefinitely. Nearly all popular open source software licenses actually require preserving personal data that attributes the software to you, such as copyright notices, as a condition of permission for the software.
GDPR gives users the right to erase some data collected about them by others. GDPR also defines "personal data" broadly enough to cover package publisher and contributor metadata, and even copyright notices in license files. But GDPR requires a balance between privacy rights, other rights, and the public interest. The law itself makes a start, limiting the right to be forgotten to specific situations that don't apply to most packages, and making exceptions that do.
If you accidentally publish a package that threatens your privacy, or discover someone else has published a package that does, email firstname.lastname@example.org immediately. npm can and will take down packages in specific, exceptional situations to protect you, especially if others violate your privacy. Using npm to violate others' privacy is against our terms of service.
npm takes a few steps to notify others who may be copying data from the npm public registry that published data has been erased:
npm publishes new placeholder versions of some erased packages, with
READMEfiles that mention the package has been erased, and why.
npm's registry APIs, special software services that others use to copy data from the npm public registry, send update messages about packages that have been erased.
npm uses data in packages and data about how you use the registry to make decisions about whether the packages you publish are spam, promote scams, abuse others, or otherwise violate our terms of service. When Smyte decides that a package is likely in violation, npm blocks publishing the package or erases the package.
If you think your package has been wrongly blocked or erased, email email@example.com to reach an npm team member who can review the decision.
npm shares account data with others as mentioned in the section about account data.
npm shares package data with others as mentioned in the section about package data.
npm does not sell information about you to others. However, npm uses services provided by other companies to provide npm services. Some of those services may collect data about you independently, for their own purposes. All of the companies are based in the United States.
Some of these services may be used to collect information about your online activities across different websites.
You can send questions or complaints to:
Attention: Data Protection Officer
1999 Harrison Street #1150
Oakland, CA 94612
United States of America
European Union users with questions or complaints about GDPR compliance should also address npm's representative in the Union:
Telephone: +49 (0) 40 99999 - 3430
Mobile: +49 (0) 172 918 22 22
For complaints under the Privacy Shields, npm has a contract with JAMS, an independent alternative resolution provider based in the United States. If we can't resolve a complaint about Privacy Shield between us, you can submit a Privacy Shield claim through JAMS. Arbitrating through JAMS is free of charge to you. Under some circumstances, European Union users may invoke binding Privacy Shield arbitration, as a last resort.
For complaints under GDPR more generally, European Union users may lodge complaints with their local data protection supervisory authorities.
This version of npm's privacy questions and answers took effect May 4, 2018.
npm will announce the next version on the npm blog. In the meantime, npm may update its contact information by updating the page at https://www.npmjs.com/policies/privacy, without an announcement. npm may change how it announces changes in future privacy versions.
You can review the history of changes in the Git repository for npm's public policies.